527316a21b
system_server and app domains need to map dalvik-cache files with PROT_EXEC. type=1400 msg=audit(13574814.073:132): avc: denied { execute } for pid=589 comm="system_server" path="/data/dalvik-cache/system@priv-app@SettingsProvider.apk@classes.dex" dev="mmcblk0p30" ino=684132 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file Apps need to map cached dex files with PROT_EXEC. We already allow this for untrusted_app to support packaging of shared objects as assets but not for the platform app domains. type=1400 audit(1387810571.697:14): avc: denied { execute } for pid=7822 comm="android.youtube" path="/data/data/com.google.android.youtube/cache/ads1747714305.dex" dev="mmcblk0p30" ino=603259 scontext=u:r:platform_app:s0 tcontext=u:object_r:platform_app_data_file:s0 tclass=file Change-Id: I309907d591ea6044e3e6aeb57bde7508e426c033 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
###
### Apps signed with the platform key.
###
# Declare the platform_app type and associate it with the domain attribute.
type platform_app, domain;
# Permissive domain: SELinux logs AVC denials for platform_app but does not
# enforce them, so the allow rules in this file document intended access
# rather than confine the domain while this line is present.
permissive platform_app;
# Policy macros defined outside this file; what they expand to is not visible
# here. Presumably app_domain() applies the rules common to app domains and
# platform_app_domain() attaches the platformappdomain attribute used by the
# rules at the end of this file -- confirm against the macro definitions.
app_domain(platform_app)
platform_app_domain(platform_app)
# Access the network.
# net_domain() is a macro defined outside this file; the socket permissions it
# grants are not visible here and should be reviewed at its definition.
net_domain(platform_app)
# Access bluetooth.
# bluetooth_domain() is a macro defined outside this file; the permissions it
# grants are not visible here and should be reviewed at its definition.
bluetooth_domain(platform_app)
# Write to /cache.
# Directories labeled cache_file get rw_dir_perms and files get
# create_file_perms. Both are permission-set macros defined outside this file;
# presumably they cover adding/removing directory entries and creating,
# writing and unlinking files -- confirm against the macro definitions.
allow platform_app cache_file:dir rw_dir_perms;
allow platform_app cache_file:file create_file_perms;
# Read from /data/local.
# Read-only access to shell_data_file: directory search, file
# open/getattr/read, and symlink read. No write or execute is granted by these
# three rules.
# NOTE(review): going by the type name, this content is presumably writable by
# the shell domain, so platform-signed apps should treat what they read from
# here as untrusted input -- confirm who can write this label.
allow platform_app shell_data_file:dir search;
allow platform_app shell_data_file:file { open getattr read };
allow platform_app shell_data_file:lnk_file read;
# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
# created by system server.
# The file rule uses rw_file_perms rather than the create_file_perms used
# elsewhere in this file, which is consistent with system server creating the
# temp files and platform_app only filling them in. rw_file_perms is a macro
# defined outside this file -- confirm it carries no create permission.
allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
# Directory access is limited to search (path traversal) on
# apk_private_data_file; no directory read or write is granted by this rule.
allow platform_app apk_private_data_file:dir search;
# ASEC
# Grants create_dir_perms on directories and create_file_perms on files
# labeled asec_apk_file. Both permission sets are macros defined outside this
# file.
allow platform_app asec_apk_file:dir create_dir_perms;
allow platform_app asec_apk_file:file create_file_perms;
# Access download files.
# File-level rw_file_perms only; this rule grants nothing on directories
# labeled download_file.
allow platform_app download_file:file rw_file_perms;
# Allow BackupManagerService to backup all app domains
# Grants only the write permission on fifo_file objects labeled with any type
# carrying the appdomain attribute; read and open are not part of this rule.
allow platform_app appdomain:fifo_file write;
#
# Rules for all platform app domains.
#
# App sandbox file accesses.
# These rules apply to every domain carrying the platformappdomain attribute,
# not only to platform_app.
allow platformappdomain platform_app_data_file:dir create_dir_perms;
allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
# Execute on the app's own data files. The change description gives the
# reason: apps map cached dex files with PROT_EXEC, and the logged denial was
# for a .dex file under the app's cache directory.
# NOTE(review): assuming create_file_perms includes write, files with this
# label are both writable and executable by the same domain, so the label
# gives no write-xor-execute separation. The integrity of code loaded from the
# data directory then rests on the app, not on this policy.
allow platformappdomain platform_app_data_file:file execute;
# App sdcard file accesses
# sdcard_type is the target here; going by its name it is presumably an
# attribute grouping the sdcard filesystem labels -- confirm at its
# declaration. No separate execute rule is given for these files, unlike
# platform_app_data_file above.
allow platformappdomain sdcard_type:dir create_dir_perms;
allow platformappdomain sdcard_type:file create_file_perms;
# Access to /data/media.
# Same shape as the sdcard rules: create_dir_perms on directories and
# create_file_perms on files, here for the media_rw_data_file label. No
# separate execute rule is given for these files.
allow platformappdomain media_rw_data_file:dir create_dir_perms;
allow platformappdomain media_rw_data_file:file create_file_perms;